<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><tt>Hi Denis,</tt></p>
<p><tt>Regarding the "52 calls" vs. 25/30 limits, are you sure all
52 calls were made by the same user? Keep in mind that all fraud_detection
module stats are per-user counters, and not global counters. If
they really were all made by the same user, please let me know
and I will double-check my tests.<br>
</tt></p>
<p><tt>The "cpm", "total_calls" and "concurrent_calls" reset either
on an interval change or at midnight (new day ahead). This leads
to a possible undetected abuse of up to 2x your provisioned
"cpm", "total_calls" or "concurrent_calls", if the malicious
user places "limit - 1" events before the reset, followed by
another "limit - 1" events past the reset. If this is too much
for you, then your provisioned limits (thresholds) are
incorrect, and you should simply cut them in half.<br>
</tt></p>
<p><tt>Best regards,<br>
</tt></p>
<pre class="moz-signature" cols="72">Liviu Chircu
OpenSIPS Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
<div class="moz-cite-prefix">On 22.03.2018 09:59, Denis via Users
wrote:<br>
</div>
<blockquote type="cite" cite="mid:181311521705588@web5g.yandex.ru">
<div>Hello!</div>
<div> </div>
<div>Is there any idea about the problem?</div>
<div> </div>
<div>Thank you.</div>
<div> </div>
<div>-- </div>
<div>С уважением, Денис.</div>
<div>Best regards, Denis</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div>16.03.2018, 15:22, "Denis via Users"
<a class="moz-txt-link-rfc2396E" href="mailto:users@lists.opensips.org"><users@lists.opensips.org></a>:</div>
<blockquote type="cite">
<div>Hello!</div>
<div> </div>
<div>I am sorry that it was early, but anyway.</div>
<div> </div>
<div>Server:: OpenSIPS (2.2.5 (x86_64/linux))</div>
<div> </div>
<div>Fraud_module has been activated.</div>
<div> </div>
<div>Profile data</div>
<div> </div>
<div><img src="cid:part1.FAFBCD1D.67A34EC4@opensips.org"
class=""></div>
<div> </div>
<div>17.02.18 20:55 Opensips received first fraud call.</div>
<div>And before Opensips detected fraud there were 52 yet calls
to 810 prefix.</div>
<div> </div>
<div>First question is why it didn`t detected fraud early
(dialing with total_calls, for example)?</div>
<div> </div>
<div>Then.</div>
<div> </div>
<div>Till the end of 17.02 Opensips blocked the calls from
client to 810, but in 18.02 i can see success fraud calls to
810 from the client again.</div>
<div> </div>
<div>Second question is why? Opensips resets count every new
day?</div>
<div> </div>
<div>Thank you.</div>
<div> </div>
<div>-- </div>
<div>С уважением, Денис.</div>
<div>Best regards, Denis</div>
<div> </div>
<div> </div>
<div> </div>
,
<p>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org"
moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</body>
</html>